Pharma cyber vulnerabilities run deeper than Merck’s ‘NotPetya’ attack: report
What not to do with pharmaceutical company credentials? Use them to connect to social networks, on the one hand, and gaming sites, on the other. You’d think those would be obvious no-no’s, but it’s more common than you might think. And the industry is paying the price in the form of widespread cybersecurity vulnerabilities, according to a recent report by digital risk protection firm Constella Intelligence.
The lesson is clear: not all cybersecurity issues need be as explosive as Merck’s “NotPetya” imbroglio. Behind the headlines are far more common, though still risky, breaches, and the problem is getting worse.
Among the 20 pharmaceutical companies Constella analyzed, five recorded more than 200,000 exposures and data breaches in total, with some climbing as high as 400,000, Jonathan Nelson, digital intelligence specialist at Constella Intelligence, said in an interview.
For its pharmaceutical report, Constella sought to uncover the cybersecurity risks plaguing the world’s top 20 drugmakers by revenue. Risk here refers to the circulation of personal data and other sensitive information that threat actors can use to “infiltrate” corporate networks, Nelson explained.
These pharmaceutical vulnerabilities appear when third-party domains are hacked. This often leads to the sale of personal data such as names, passwords and phone numbers on the deep and dark web. Essentially, what Constella finds is that many employees and executives are using company credentials to log into third-party websites.
“When we see corporate credentials being used on non-essential sites (gaming sites, adult sites, social media sites), it’s an indicator that employees are at serious cyber risk,” Nelson explained.
Looking at data from January 2018 to September 2021, Constella identified 9,030 breaches or leaks and over 4.5 million exposed records related to employee credentials. These breaches exposed information such as email addresses, passwords, phone numbers and addresses as well as credit card and banking information.
Meanwhile, the problem appeared to worsen in 2021, which is certainly not reassuring given the industry’s pivotal role in the COVID-19 response. Some 59% of total violations and 76% of total exposed records identified in Constella’s pharmaceutical report occurred after 2020, the company noted in a press release.
“We are now at a time where there has been a massive shift towards hybrid remote and distributed remote working, in addition to the fact that intellectual property and the value of intellectual assets and data available for these [drugmakers] increases dramatically,” Nelson said.
Along with worst-case scenarios like supply chain shutdowns and theft of trade secrets, these vulnerabilities can also open the door to reputational issues, especially in the context of a highly politicized debate over vaccination in the United States, Nelson said.
Last summer, the New York Times reported on the enigmatic PR firm Fazze, which tried to recruit social media influencers in France and Germany to make misleading claims about Pfizer and BioNTech’s COVID-19 vaccine, Comirnaty. When some influencers tried to investigate the company, the trail led to Russia, the NYT wrote.
More and more information gradually emerged about the Russian market agency subsidiary and the widespread disinformation campaigns it was waging against Western-made COVID-19 vaccines. In one instance, Fazze specifically tried to get influencers to post a graphic taken from a leaked AstraZeneca document and claim the British drugmaker’s vaccine was unsafe, The Daily Beast reported last year. It was unclear how Fazze obtained the report, the publication noted at the time.
The enthusiastic shift to remote working, meanwhile, has left companies with little time to adequately update their security practices. “Most of these companies had a traditional physical work model in which their cybersecurity postures were designed and developed for this purpose,” said Nelson of Constella. The rapid move to the virtual office has meant that companies have not had enough time to develop updated protocols and programs, while individuals themselves have not been able to build sufficient cybersecurity awareness, he continued.
Another danger that businesses and individuals might forget to consider? It’s not just employees’ personal information that shows up on deep, dark networks: Information about relatives, banking information and addresses are some of the other attributes that can end up for sale, Nelson said.
Among pharmaceutical cyberattacks in recent memory, few stand out as much as Merck’s NotPetya incident. The New Jersey drugmaker was among a list of global companies affected by the June 27, 2017 attack, which was ultimately linked to the Russian military. The attack crippled Merck’s internal API production and affected its formulation and packaging systems as well as R&D and other operations.
Merck and its insurers continue to battle for more than $1.4 billion in losses from the attack. Just a few weeks ago, Merck picked up a victory in this fight. Essentially, Merck’s insurers said the cyberattack should be subject to an “act of war” exclusion because it originated from the Russian government as part of its hostility to Ukraine. Merck took the opposite position. In late January, a New Jersey judge ruled that the act of war exclusion did not apply because it was intended for an actual armed conflict.
As for how companies can protect themselves, continuous monitoring is one of the biggest levers, Constella’s Nelson said. Other measures such as company-wide password protocols, use of secure VPNs, and investment in cybersecurity infrastructure suitable for the remote work environment can also help.